HIPAA Breach Notification Rule, continued

The page below is a sample from the LabCE course HIPAA Privacy and Security Rules for All Healthcare Personnel. Access the complete course and earn ASCLS P.A.C.E.-approved continuing education credits by subscribing online.


The HITECH Act and the Breach Notification Rule (45 CFR 164.410) require a business associate to notify the covered entity when it discovers a breach of unsecured PHI, without unreasonable delay and no later than 60 calendar days after the discovery. If the business associate is acting as an agent of the covered entity, the business associate's discovery of the breach counts as the covered entity's discovery, so the covered entity's own notification clock starts on the day the business associate discovered the breach, not on the day the covered entity was told about it.
The covered entity is then required to notify HHS within a time limit that is measured from the date of discovery (for an agent business associate, the date the business associate discovered the breach). The limit depends on the number of individuals affected:
  • If a breach affects 500 or more individuals:
    • Covered entities are required to notify HHS "immediately", meaning at the same time as the notice sent to the affected individuals.
    • 45 CFR Part 164 defines this as "without unreasonable delay but in no case later than 60 calendar days following the discovery of a breach." The 60 days is an outer limit, not a target; waiting out the window without a reason can itself be a violation.
    • The clock runs from discovery, not from when the breach occurred. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the covered entity exercised reasonable diligence.
    • For example, if a breach affecting 500 or more individuals occurred on December 5, 2018, and was discovered on January 1, 2019, the covered entity would have until March 1, 2019 (60 calendar days, counting the discovery date as day 1) to report the breach to HHS.
  • If a breach affects fewer than 500 individuals:
    • Covered entities must notify HHS no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which it occurred). These smaller breaches may be logged during the year and submitted together in one annual report.
    • For example, if a breach affecting fewer than 500 individuals occurred on December 5, 2018, and was discovered on January 1, 2019, the covered entity would have until February 29, 2020 (60 days after the end of 2019, counted the same way as above; because 2020 is a leap year the window ends on February 29 rather than March 1) to report the breach to HHS.
Business associate agreements (BAAs) must specify how and when the business associate will notify the covered entity of a suspected or confirmed breach, including the information the notice must contain so the covered entity can meet its own deadlines.
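As an added illustration (not part of the LabCE course material or any HHS tool), the Python below computes the outer HHS deadline for both tiers described above, including the year-end and leap-year case, and shows how an agent business associate's discovery date moves the start of the clock. The function names (`effective_discovery`, `hhs_deadline`, `days_remaining`) and the day-counting convention are assumptions: the first day of the window is counted as day 1, which reproduces the worked example above (discovered January 1, 2019, due March 1, 2019). If your counsel counts the discovery date as day 0, every result shifts one day later.

```python
"""Deadline calculator for the two HHS breach-notification tiers.

Constructed illustration; not from the LabCE course or from HHS.
Counting convention (assumption): the first day of the window is day 1,
so the deadline is the window start plus 59 days.
"""
from datetime import date, timedelta
from typing import Optional

LARGE_BREACH_THRESHOLD = 500   # 45 CFR 164.408(b): "500 or more individuals"
WINDOW_DAYS = 60               # outer limit; "without unreasonable delay" still applies


def effective_discovery(ce_discovered: Optional[date],
                        ba_discovered: Optional[date],
                        ba_is_agent: bool) -> date:
    """Date on which the covered entity's notification clock starts.

    If the business associate is the covered entity's agent, the BA's
    discovery is imputed to the covered entity, so the earlier of the two
    dates governs. If the BA is not an agent, only the covered entity's own
    discovery (typically the day the BA's notice arrives) counts.
    """
    candidates = [d for d in (ce_discovered,) if d is not None]
    if ba_is_agent and ba_discovered is not None:
        candidates.append(ba_discovered)
    if not candidates:
        raise ValueError("no discovery date known")
    return min(candidates)


def hhs_deadline(discovered: date, individuals_affected: int) -> date:
    """Latest date for the covered entity's notice to HHS.

    500 or more individuals: 60 calendar days from discovery.
    Fewer than 500: 60 days after the end of the calendar year of discovery,
    i.e. the window starts on January 1 of the following year, so in a leap
    year it ends on February 29 instead of March 1.
    """
    if individuals_affected < 0:
        raise ValueError("individuals_affected must be non-negative")
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        start = discovered
    else:
        start = date(discovered.year + 1, 1, 1)
    return start + timedelta(days=WINDOW_DAYS - 1)


def days_remaining(discovered: date, individuals_affected: int, today: date) -> int:
    """Days left in the window as of `today`; negative means it has already closed."""
    return (hhs_deadline(discovered, individuals_affected) - today).days


if __name__ == "__main__":
    # The page's example: breach occurred 2018-12-05, discovered 2019-01-01.
    print(hhs_deadline(date(2019, 1, 1), 650))   # 2019-03-01
    print(hhs_deadline(date(2019, 1, 1), 120))   # 2020-02-29 (leap year)
    # A BA found the breach on 2019-01-01 and told the CE on 2019-01-20.
    # Non-agent BA: the CE's clock starts when it was told. Agent BA: it
    # starts on the BA's discovery date.
    print(effective_discovery(date(2019, 1, 20), date(2019, 1, 1), ba_is_agent=False))
    print(effective_discovery(date(2019, 1, 20), date(2019, 1, 1), ba_is_agent=True))
```

The threshold comparison uses `>=` deliberately: the regulation says "500 or more", so a breach of exactly 500 individuals is in the immediate-notice tier, a boundary that the loose phrase "more than 500" would miss.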